ABSTRACT

The invention is a system for protecting the security of computer files. It has hardware elements, including a programmable auxiliary memory and control unit, along with associated software elements. The security subsystem is installed on the host computer bus so that it resides in the control logic, address, and data signal path between the computer storage device and central processing unit. The security system is accessible by the computer operating system only until installation and initialization. Thereafter it is inaccessible to or by the operating system. Supervisor determined criteria for access permission to read, write and execute files are entered into the auxiliary memory system where they are protected from alteration. The security system will refuse to write data to the file storage device when unauthorized operations have been attempted. When breaches of these types occur the security system can lock the computer against further activity until it is released by entry of a master password from supervisory or security personnel. The system maintains a protected area in the computer memory device where, among other data, file signatures of all valid files are retained. Each time the security system sends an error message to a user, it is checked for file integrity.

10 Claims, 28 Drawing Sheets 




11/13/2003, EAST version: 1.4.1

U.S. Patent  Feb. 22, 1994  Sheets 1 through 28 of 28  5,289,540

[Drawing sheets 1 through 28 are images; only the text legible in the scan is kept here. Sheets 1, 3, 4, 5, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 21, 22 and 26 carry no recoverable text.]

FIG. 2 (Sheet 2), index of flowchart symbols: TERMINAL, begins or ends a sequence of operations. DECISION, tests a condition and modifies program flow. SUBPROCESS, an operational module that performs a specific set of operations and returns to the main process. INPUT/OUTPUT, information/data that has its source or destination outside the current process. VIDEO DISPLAY TERMINAL. OFF-PAGE CONNECTOR. USER ENTRY KEYBOARD. PROCESS, performs some function. PREDEFINED PROCESS, parameters are predefined, i.e. needs no arguments.

FIG. 5 (Sheet 6), command parameter collection: ILLEGAL COMMAND: set DAL_FLG=FALSE (disallow data collection); set return status to ILL_CMD (MS-DOS ERRCODE(03)); end of operation. COMMAND PARAM: get next parameter (CALL GET_DATA); decrement parameter count (PARM_CNT); all params collected (PARM_CNT=0)? If NO, get the next parameter; if YES, check that the unit code is OK.

FIG. 7 (Sheets 9 and 10), INIT: on a device error, ERR_STAT=DEV_STAT, NUM_UNITS=0, FRE_MEM_ADR=0, and report FATAL: DEVICE ERROR ON FSS, CALL SYSTEM ADMINISTRATOR. (Continued on second sheet.) Get BIOS parameter block (BPB) for each unique unit; if MS-DOS version > 3.0, add BPB bytes 13 thru 18; if MS-DOS version >= 4.0, add BPB bytes 19 thru 30; set interrupt vectors; RETURN RH_STAT=DEV_STAT, RH_UNITS=NUM_UNITS, RH_FRE=FRE_MEM_ADR, RH_BPB=BPB (pointer); END INIT, DONE=TRUE.

FIG. 10 (Sheet 13), cmd=03 IOCTL_RD: CALL CHK_USR; if the user check fails, RETURN UNSUPPORTED COMMAND, DEV_STAT=ERR_03. Otherwise: get data transfer address, DMA_ADR = RH_XADR; get number of bytes/sectors to transfer, XFR_CNT = RH_XCNT; get starting sector (logical) for transfer, STR_SECT = RH_XSS; convert logical starting sector (STR_SECT) to physical device HEAD (DEV_HD), TRACK (DEV_TRK), SECTOR (DEV_SECT); CALL DEV_SEEK; set up direct memory access (DMA) parameters and initiate DMA transfer from device to memory; CALL DMA_WR; RETURN RH_STAT=DEV_STAT, RH_CNTX=CNT_DONE; END IOCTL_RD, DONE=TRUE.

FIG. 14 (Sheet 20), IOCTL_WR: the same sequence as FIG. 10 with the transfer direction reversed. RETURN UNSUPPORTED COMMAND, DEV_STAT=ERR_03 on a failed check; otherwise DMA_ADR = RH_XADR; XFR_CNT = RH_XCNT; STR_SECT = RH_XSS; convert logical starting sector to HEAD (DEV_HD), TRACK (DEV_TRK), SECTOR (DEV_SECT); CALL DEV_SEEK; set up DMA parameters and initiate DMA transfer from memory to device; CALL DMA_WR (as printed); RETURN RH_STAT=DEV_STAT, RH_CNTX=CNT_DONE; END IOCTL_WR, DONE=TRUE.

Sheet 23 (figure number not recovered), GEN_IOCTL: get major number to determine category of operation, MAJ_NUM = RH_MAJOR; get minor number to determine function to perform, MINOR = RH_MINOR; get IOCTL data packet, DAT_PAC = RH_DPAC; perform operation defined by driver for major and minor number plus info in data packet; just return status to operating system; RETURN RH_STAT=DEV_STAT; END GEN_IOCTL, DONE=TRUE.

FIG. 17 (Sheet 24): return last logical device letter supported by this physical device, zero based (if only one logical device is supported, returns 0): DEV_LAST = LAST(PHYS_DEV); RETURN DEV_LAST, RH_STAT=DEV_STAT; END, DONE=TRUE. Failure branch: RETURN UNSUPPORTED COMMAND, DEV_STAT=ERR_03.

FIG. 18 (Sheet 25), cmd=24 SET_DEV: DEV_NEXT = RH_UNIT, the next logical device identifier to be used to reference the physical device, zero based; on failure RETURN UNSUPPORTED COMMAND, DEV_STAT=ERR_03; otherwise RETURN RH_STAT=DEV_STAT; END SET_DEV, DONE=TRUE.

FIG. 20 (Sheet 27), DMA_WR: set DMA channel = read from device to memory; set memory address for start of transfer; enable DMA channel request signal (start DMA); decrement transfer count, XFR_CNT = XFR_CNT-1; increment transfers completed count, CNT_DONE = CNT_DONE+1; next DMA transfer; when finished, RETURN DEV_STAT, CNT_DONE; END DMA_WR, return to caller.

FIG. 21 (Sheet 28), DMA_RD: set DMA channel = read from memory to device; set memory address for start of transfer; enable DMA channel request signal (start DMA); decrement transfer count, XFR_CNT = XFR_CNT-1; increment transfers completed count, CNT_DONE = CNT_DONE+1; next DMA transfer; END DMA_RD, return to caller.



5,289,540

COMPUTER FILE PROTECTION SYSTEM

This is a continuation application of Ser. No. 07/340,886, filed Apr. 19, 1989, now U.S. Pat. No. 5,144,659.

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyrights whatsoever.

BACKGROUND OF THE INVENTION

The present invention is a method for protection of computer files from unauthorized access and/or modification and from unintentional damage. It is particularly useful for protection of files against malevolent tampering and sabotage.

A problem of serious and potentially disastrous proportions exists in the protection of computer files from unauthorized modification. This ranges from unauthorized but benign entry by unethical computer buffs, who regard it as a personal challenge to find ways to enter a system, to deliberate and criminal sabotage of stored data and software. The extent of computer crime has grown markedly as criminal elements, now aware of the possibility for ill gotten gain or vengeance, have achieved a hitherto unknown level of sophistication. Much of the computer crime that does occur is little publicized. This is to minimize its consequences and to avoid encouragement of others who might find it attractive. In addition to the possible enormous consequences for business, education, and general government operations, the implications for defense could be of the nature of a major national disaster.

An especially pernicious form of file modification is known as a "virus". The analog to a biological virus is readily apparent. A computer virus is designed to attach itself to a program already on the computer. The result is a program that is "infected". This usually occurs in a manner that, at least initially, is unapparent to the legitimate user. The infected target files are usually unchanged until some predefined event or events take place. At this time the virus embedded in the infected files activates. The action taken when the virus is triggered may range from a harmless message flashed throughout the system to the complete destruction of all files in the infected system. A virus must, by definition, modify a file stored in the system in order to propagate itself. A virus recently propagated within three days throughout a nationwide computer network and caused damage in excess of $10 million.

Other forms of computer file vandalism are known within the computer profession as "worms", "Trojan horses", and "bombs". All such programs modify the file system in some manner in order to perform their intended function. While the above terms have specific meaning to computer scientists, for the sake of convenience they will all be classified here as "viruses" since their operation, intent and methods of prevention are in most ways very similar.

Computer files are also subject to innocent errors resulting from accidental and unintended mistakes. Within a given environment the effect may be as damaging as a virus. However, such errors generally do not spread to other computers. A particularly vulnerable environment is one in which software development is in progress. Generally there is no mechanism for protecting files on a computer system from damage by errant programs. Valuable files can easily be destroyed requiring many hours, days or weeks for reconstruction.

Another source of innocent error is accidental erasure or modification of files. This can result from a simple mistake on the part of the operator and may or may not be salvageable. Most of the commonly used operating systems for individual or networked computers allow files to be erased or modified with simple commands that do not prompt or question the user before proceeding.

Computer security has itself become a recognized [illegible] profession. The most common method of minimizing problems from intrusive sabotage is to incorporate software in the computer system that checks for known types of viruses and/or periodically checks the integrity of the files in the system. There are a number of variations on the software approach to protection. One method of checking file integrity is to perform a test of each file which results in a unique "signature" for the file. This method is reasonably robust but it is somewhat time consuming. Most often, the signature is generated using a Cyclic Redundancy Code (CRC) algorithm. This test does nothing to cure a file which might have become infected but it does identify files which have been infected since they were last tested. To be truly effective the test should be run each time a file is accessed. However, in most cases this would impose such a large overhead as to make the system non-productive.

A second method is to incorporate a software program which checks each file as it is used for a set of known types of infection. Several problems exist with this approach. First, a number of viruses are self-modifying. By that is meant that they change their characteristics specifically in order to thwart this kind of protection. Second, new viruses unknown to the protection program may be introduced into the file system and these will not be recognized. A third problem is that of overhead. It may be so great as to significantly reduce the usefulness of the system.

Another method provides a hardware module which can be programmed to write protect the entire file system. This method is clearly foolproof but poses such cumbersome limitations that it has only limited usefulness. Most business or scientific applications and virtually all program development environments require the ability to modify files. As one example, the files in a database application are usually continually updated by new additions and deletions. The hardware write protect approach appears to have merit only in those unusual instances where an application does not require the file system to be modified. If software support is used to determine when a file can be modified, it is susceptible to the same problems and disadvantages of the other software approaches.

A fourth method uses passwords and other user specific security protection to limit access to the file system. This is desirable and should be common practice in most computer networks. But it does not prevent the problem of virus entry. One of the most destructive viruses reported to date infected over 5000 computers, all of which had a password and user permission-based file system. The most common use of this type of protection is found on computers based on the UNIX operating system. Unix is a trademark of AT&T Information Systems, New York, New York, for a linked multi-workstation computer system. In regard to accidental file erasure, a number of products are available with an "unerase" feature. These take advantage of the way most files are removed from a directory by the operating system. The operating system simply indicates that the storage space of the deleted file is now available for new files, without actually physically erasing the earlier material. The unerase software restores the deleted file name back into the directory. However, it can function successfully only if the storage space occupied by the deleted file has not been overwritten. The process of attempting to recover an accidentally erased file is time consuming and can sometimes result in a corrupted file even under the best of circumstances.

Finally, any software based system of virus protection has an inherent flaw that can itself be fatal. The very software that is intended to protect against infection can itself be the source of a virus. This very problem recently occurred with a suite of commercial programs, touted as the ultimate in anti-virus protection. The case in point was apparent sabotage by a disgruntled employee of the software firm marketing the protection system. An untold number of infections occurred and the manufacturer now faces an enormous liability for damage caused by his product.

Any security system, intended to provide protection for file systems, which is accessible to the general user through standard system resources can potentially be breached. Whether software based or hardware based, if the protection system can be accessed via normal system resources, then it can be bypassed or, even worse, used to camouflage a virus. A user who thinks the file system is protected is often complacent and less alert to the possibility of an infection. This often leads to a virus doing extensive damage before it is even noticed. Cognizant of the above noted shortcomings in existing file security systems, the present invention represents a major improvement that greatly reduces and tightly controls the number of potential access points for virus entry without compromising convenience and utility for the general user.

SUMMARY OF THE INVENTION

The present computer file security system has both hardware and software elements. Unlike any other system known to the present inventor, once installed, the protective elements of the system are completely inaccessible to the general user. The system provides essentially absolute protection against inappropriate modification of all designated files held within the computer memory device.

The file system protection process operates by intercepting the file system data path between the central processing unit and the file storage or memory device. The requested operation is processed according to the criteria established by the supervisory and/or security personnel of the computer system. An elaborate and virtually unbreakable system of access eliminates any chance of file corruption by a general user.

The security subsystem is accessible by the computer operating system for initialization and modification only during an installation stage. After that time the security subsystem is inaccessible to or by the operating system. Each time the security subsystem sends an error message to a user it is checked for file integrity. At this time it takes possession of and disables all other access to the computer central processing unit.

In general, the hardware elements of the system are integrated with a controller for mass storage of the file system, although this is not always necessary. The process can be just as easily incorporated into a local network (LAN) controller, a communications controller, or a main processor board for a system. In its broadest form, the present file security system could be applied to a wide variety of situations where access to critical data must be controlled.

The invention includes a programmable auxiliary memory and auxiliary control unit. These can be attached to the host computer bus in a manner so that they are in the control logic, address, and data signal path between the central processing unit and the file storage system. However, once installed in the computer system, the file security system is inaccessible to or by the host computer operating system. Access to the file security system is possible only by using a unique password held by the appropriate supervisory and/or security personnel. Access may be established on a hierarchical basis so that for some designated operations more than one individual must enter passwords in proper sequence.

The supervisory personnel will choose and enter the appropriate criteria for access permission to read, write, and execute operations for all files to be protected. These criteria will be specific to each user or user group. The file security system can be programmed for graduated levels of security and lockout for various types of users.

Upon receiving valid user identification, the auxiliary memory and control unit will indicate to the host computer operating system which files are accessible to that user and the nature of the operations that can be performed on the files. Similarly, users with invalid entry criteria for the files requested will be denied entry and the file security system will refuse to allow data to be written into the host computer file system when unauthorized operations have been attempted.

In many linked computer systems each computer central processing unit has its own associated file system. Usually, the file systems of every individual computer in a linked system are electronically available to [illegible]. Preferably, the file security system of the present invention should be used to protect each file system in a given linked computer system. This would require associating a security system with each file storage device in the system. However, it is quite possible to protect some of the computers in the system while leaving others unprotected. Some linked systems are constructed with a central file storage device, or file server, which is tied to a number of different computers, each having its own central processing unit. In this case a single file security system is adequate to protect the entire network. The file security system of the present invention is equally suitable for use on a single terminal computer.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram of a hardware card showing one implementation of the present invention.

FIG. 2 is an index to the symbols used in the following process flow diagrams.

FIGS. 3-6 are process flow diagrams showing the basic logic of the file security system.

FIGS. 7-18 are subprocesses associated with the basic process logic.
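The Summary above states the gate's rules only in prose: criteria per user group kept in a protected area that the operating system can load at installation and never again, passwords entered in sequence by more than one supervisor for designated operations, refusal and lockout on an unauthorized attempt with release by a master password, and, whenever an error message is issued, an integrity check against the retained signatures of all valid files. The Python model below puts those rules into working code; it is an added example written for this edition, not code from the patent. The class and method names, the status strings, the salted SHA-256 password digests, CRC-32 as the signature algorithm (the Background names CRC), the in-memory dictionary standing in for the storage device, and the choice to pass through files that have no criteria at all are assumptions of the example.

```python
import hashlib
import hmac
import zlib

READ, WRITE, EXECUTE = "read", "write", "execute"

def _digest(password):
    # Only a salted SHA-256 digest of each password is retained; the salt is a constructed constant.
    return hashlib.sha256(b"fss-example-salt:" + password.encode("utf-8")).digest()

def file_signature(data):
    # CRC-32 signature, as the Background describes: it detects that a file changed, it cannot repair it.
    return zlib.crc32(data) & 0xFFFFFFFF

class FileSecuritySystem:
    """Model of the auxiliary memory and control unit on the CPU-to-storage path.
    Its protected area holds the supervisor-entered criteria (file -> user group ->
    permitted operations) and the signatures of all valid files, loaded once in install().
    request(), the only path the operating system sees, can never alter either; criteria
    change only through change_criteria() under the supervisor passwords."""

    def __init__(self, master_password, supervisor_passwords):
        self._master = _digest(master_password)
        self._supervisors = [_digest(p) for p in supervisor_passwords]  # must be entered in this order
        self._criteria, self._groups, self._signatures, self._store = {}, {}, {}, None
        self._installed = False
        self.locked = False
        self.log = []

    def install(self, criteria, groups, store):
        """Installation stage: the only time the host may load the protected area directly."""
        if self._installed:
            raise PermissionError("security system is no longer accessible to the operating system")
        self._criteria = {f: {g: set(ops) for g, ops in by_group.items()} for f, by_group in criteria.items()}
        self._groups = dict(groups)
        self._store = store  # live name -> contents mapping standing in for the storage device
        self._signatures = {name: file_signature(data) for name, data in store.items()}
        self._installed = True

    def _supervisor_auth(self, passwords):
        return len(passwords) == len(self._supervisors) and all(
            hmac.compare_digest(_digest(p), d) for p, d in zip(passwords, self._supervisors))

    def change_criteria(self, passwords, filename, group, ops):
        """Designated operation: every supervisor password must be entered, in proper sequence."""
        if not self._supervisor_auth(passwords):
            self.log.append(("criteria change denied", filename, group))
            return "INVALID PASSWORD"
        self._criteria.setdefault(filename, {})[group] = set(ops)
        return "OK"

    def check_integrity(self):
        """Compare the store with the retained signatures: (modified, missing, unknown) file names."""
        sig, store = self._signatures, self._store
        modified = sorted(n for n, d in store.items() if n in sig and file_signature(d) != sig[n])
        missing = sorted(n for n in sig if n not in store)
        unknown = sorted(n for n in store if n not in sig)
        return modified, missing, unknown

    def request(self, user, op, filename):
        # Every CPU-to-storage request passes this gate.
        if self.locked:
            return "SYSTEM LOCKED"
        by_group = self._criteria.get(filename)  # None: not designated for protection (assumption: pass through)
        allowed = by_group is None or op in by_group.get(self._groups.get(user), set())
        if allowed:
            self.log.append(("ok", user, op, filename))
            return "OK"
        # An error message goes to the user; the page has the FSS check file integrity at that moment.
        self.log.append(("denied", user, op, filename, self.check_integrity()))
        self.locked = True
        return "ACCESS NOT AUTHORIZED"

    def release(self, master_password):
        """Unlock only on the master password held by supervisory or security personnel."""
        if hmac.compare_digest(_digest(master_password), self._master):
            self.locked = False
            return True
        return False

def demo():
    store = {"COMMAND.COM": b"MZ original command interpreter image",  # constructed storage contents
             "PAYROLL.DAT": b"0001,ACME,1250.00\n0002,BETA,310.75\n"}
    fss = FileSecuritySystem("master-pw", ["sup1-pw", "sup2-pw"])
    fss.install(criteria={"PAYROLL.DAT": {"accounting": {READ, WRITE}, "staff": {READ}},
                          "COMMAND.COM": {"accounting": {READ, EXECUTE}, "staff": {READ, EXECUTE}}},
                groups={"alice": "accounting", "bob": "staff"}, store=store)
    results = [fss.request("bob", READ, "PAYROLL.DAT")]  # OK
    store["COMMAND.COM"] += b" bytes absent at install"  # simulate a program file altered since install
    results.append(fss.request("bob", WRITE, "PAYROLL.DAT"))  # denied: integrity check runs, system locks
    results.append(fss.request("alice", READ, "PAYROLL.DAT"))  # SYSTEM LOCKED, even for a permitted user
    results += [fss.release("guess"), fss.release("master-pw")]  # False, then True
    results.append(fss.change_criteria(["sup1-pw"], "PAYROLL.DAT", "staff", {READ, WRITE}))  # one password is not enough
    results.append(fss.change_criteria(["sup1-pw", "sup2-pw"], "PAYROLL.DAT", "staff", {READ, WRITE}))  # OK
    results.append(fss.request("bob", WRITE, "PAYROLL.DAT"))  # OK under the new criteria
    return results, fss.log[1][4][0]  # statuses, and the files found modified at the denial
```

demo() walks a constructed two-user file set through a permitted read, a refused write that triggers the integrity check and locks the system, a failed and then a successful master-password release, and a criteria change that succeeds only once both supervisor passwords are entered in order. A CRC detects change but is not a cryptographic hash; an implementation written today would keep the same structure and substitute a cryptographic hash or a keyed MAC for file_signature.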
FIG. 19 shows a subprocess used within the various other subprocesses.

FIGS. 20 and 21 show direct memory access read and write subprocesses used within the various other subprocesses.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Most of the terms and abbreviations used herein are in common use and well understood by those skilled in computer science. However, the following definitions will unequivocally set their context for the present invention.

ADR, ADDR  address
ATRIB  attribute
AUTH  authorized
BIOS  basic input/output system
BLD  build
BPB  BIOS parameter block
BUS  bus (command, address, or data)
BZY  busy
CHG  change
CHK  check
CMD  command
CNT  count
CNTRL  control
CNTX  number of increments successfully transferred
CPU  central processing unit
CRC  cyclic redundancy check
CRTL  control
DAT  data
DEV  device
DMA  direct memory access
DPAC  data packet
DSTR  32 bit starting logical sector
ERR  error
ERRS  errors
FLG  flag
FRE  free
FSS  file security system
GEN  generic
GET  get
HD  head
HDR  header
IBM-PC  a personal computer manufactured by International Business Machines Corporation
ID  identity or identification
ILL  illegal
INIT  initialize
IOCTL  input/output control
LBL  label
LOG  logical
MAJ  major
MEM  memory
MS-DOS  Microsoft Disk Operating System
MTY  empty
NUM  number
PAC  packet
PARM  parameter
PC-DOS  IBM Personal Computer Disk Operating System
PHYS  physical
PREV  previous
PTR  pointer
QUE  queue
RD  read
RH  request header (from MS-DOS)
RMV  remove, removable
SECT  sector
SEEK  seek
SET  set
STAT  status
STR  starting
SYS  system
TBL  table
TRK  track
TYP  type
TSR  terminate and stay resident
USR  user
VFY  verify
VOL  volume
WR  write
XADR  transfer address
XCNT  number of increments requested to be transferred
XFR  transfer
XSS  starting sector for transfer

The term "bus" or "host computer bus" refers to the electronic paths within the host computer that carry address, control, and data signals. The "address bus" is a collection of electronically continuous lines used to provide a unique location for access to a system resource such as memory or input/output devices. The "data bus" is a similar collection of lines used to pass information between locations determined by the address bus. The "control bus" is a similar collection of electronically continuous lines used to define the kind of operation to be performed on a system resource. As an example, the "memory read line" (MEMR) of the IBM-PC control bus specifies that the operation to be performed is to read the contents of memory at the location specified by the address bus and place that information on the data bus. While a bus is most usually regarded in terms of electrical conductors, it should be considered more broadly in terms of the present invention. As used herein the term "bus" should be considered to also include any alternate means of data interface with the CPU of the computer system that would serve the same purpose as conventional electrical conductors. A fiber optic system could be one such alternative. In its broadest context a "bus" is any means or method that carries information between the computer system and any peripheral devices and which provides control and data to a file storage device. It does not matter whether the device is internal or external to the computer itself.

A "device" is any physical piece of equipment integral with the computer system, such as a mass storage unit, printer, console, etc. In terms of internal communication within the computer a "device" is treated or considered in the same manner as a file would be. A "logical device" is a method of mapping a physical device to hide its real characteristics from the operating system. Although multiple physical devices could be mapped to a single logical device, a more common approach is to map a single physical device to multiple logical devices; e.g., a single 64 megabyte hard disk can be mapped to two 32 megabyte logical devices.

"Direct memory access" (DMA) is used to move data between memory and a device by taking control of the address bus, data bus and control bus. The CPU is disabled during the DMA cycle.

A "logical sector address" enables the use of logical addressing by operating systems to access mass storage devices and hides the physical characteristics of the device. Logical addressing provides significant improvements in device independence of the operating system. The conversion of logical address to physical address is device dependent.

"Parameters" when used with a process are data passed to the process. When referring to a device they are the constants that define the device; e.g., the number of heads, sectors per track, etc.

A "pointer" is an "object" or variable used to hold the address of another object; i.e., it "points" to the other object. The context of the term "object" is a variable used to hold an address within the addressable range of values of the main CPU. The pointer is used to indirectly store or retrieve other variables.

"Programmed I/O" describes input or output operations which are controlled by the CPU. This type of I/O is generally used to write to the device control register and read from the device status register. Data transfers are usually handled by direct memory access.

A "queue" is a form of temporary storage used to allow asynchronous data flow between the source and destination. A common form of queue is to allow data to continue to be placed in a waiting list, to avoid having the data source wait, while a slower process operates on the list. The queue is monitored to prevent overflow. If the queue fills the process sourcing the data must wait until the data consumer has removed data.

A "register" is a location used to hold information associated with an operation. "Device registers" hold either control information, status of device after operation, or data. A "control register" is a device register used to select the function to be performed by the device. A "data register" is used to hold data for transfer to and from the data bus under program control.

A "terminate and stay resident" (TSR) program is one that remains in memory after initial activation. The file security system uses such a program to communicate with the user; e.g., "Access Not Authorized" or "Invalid Password".

Before describing the present invention in detail, it could be helpful to the general reader to very briefly review the essential elements of a digital computer most closely related to operation of the invention. All computers have a central processing unit (CPU) and a file storage device. The latter may include a fixed or "hard" disk, one or more flexible or "floppy" disks, a magnetic tape unit, or an optical device such as a laser read compact disk unit. The CPU and storage device are joined electronically by a bus system that carries address, control and data signals. The electrical path may not always be electrically direct; i.e. there may be intervening operations on the signals, but the bus maintains the main route of electronic communication between the two units. Other devices such as disk controllers, etc. are essential to operation but are peripheral to the present explanation.

In addition to the basic electronic "hardware", the computer must have a software package known as an "operating system". This serves to enable and supervise the flow of signals between the various hardware elements of the computer, such as the CPU and file storage device, and between the computer and operator. The operating system is not an operations software program, such as a data management or spread-sheet tool would be, but it is essential to their use.

A number of well known operating systems are avail-

[text missing from the scan]

System and Personal Computer Operating System). MS-DOS is a registered trademark of Microsoft Corporation, Redmond, Wash. and PC-DOS and IBM are registered trademarks of International Business Machines Corporation, Armonk, N.Y. The present invention is suitable for use with these as well as other operating systems such as CP/M, VMS, or UNIX. CP/M is a registered trademark of Digital Research, Pacific Grove, Calif. VMS is a registered trademark of Digital Equipment Corporation, Maynard, Mass. UNIX is a trademark of AT&T Information Systems, New York, N.Y. This list should be considered as exemplary and is not inclusive of the many other operating systems suitable for use in conjunction with the present invention.

Whatever the operating system, there is a minimum set of file system operations that must be available. This set must include:

(1) A means of listing the files available on the system to a terminal or display;

(2) A method of providing unique names and internal addresses for the files;

(3) The ability to create a new file, to write information to a file, to read information from a file, and to change the size of a file by adding or deleting information; and

(4) The ability to remove a file from the system.

To implement this minimum set of file system operations there is an attendant set of hardware and software functions. While these functions vary in complexity and capability the following is a representative minimum set.

(1) A means of storing files. Usually this is a mass storage device such as a fixed disk or one of the other types previously noted. The file system must be capable of handling files in a manner consistent with the requirements of the operating system.

(2) A method of formatting the storage medium to meet the needs of the file system. The format generally involves sectioning the storage medium in such a way that the translation between a logical location and a physical location is minimized. The operating system deals with logical addresses of information while the actual storage device operates on physical addresses.

(3) A means of passing commands to the storage subsystem. This typically is a hardware card that interfaces the addresses and data from the system bus to the storage subsystem hardware.

(4) A means of implementing commands to (a.) position or index the storage media to a known starting position, (b.) read from a specific location on the medium and make the information available to the system bus, and (c.) write information from the system bus to a specific location on the medium. In the latter two cases the information is moved directly into and from the system read/write memory by a mechanism known as direct memory access (DMA).

The file security subsystem may be likened to a gate and gate tender on the pathway linking the CPU and file storage subsystem. Only information that meets a set of predefined criteria is allowed to pass. Once placed in position, the gate is impregnable to any changes in the criteria that an unauthorized person might attempt to be made via the operating system. Changes can only be made by an appropriate security director having the
able for computers of different types and capabilities. 65 master access password. ^ 
Two of the most popular products are very similar and This location in a computer is unique for a file secu- 
arc intended for use with personal computers. These are rity system. The only other subsystem placed astride the 
known as MS-DOS and PC-DOS (Microsoft Operating main bus in similar fashion is an encryption/unencryp- 
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tion device. It is emphasized here that the file security decision is made to override, the file signature can be 

subsystem in not, nor is it in any way analogous, to an updated so that the next startup will accept the modified 

encryption device. It may include an encryption device file. 

but this would be entirely ancillary to its main function Programs run by the user arc consistency checked as 

and operation. 5 they are loaded into the system memory for execution. 

Because they are so well known and in such common As in the startup phase above, any corruption of a file 

use, the description of the invention that is to follow will result in disabling the write circuitry, user notifica- 

will be based on the use of the PC-DOS or MS-DOS tion, and system lockup pending supervisory action, 

operating systems used with IBM or IBM-type personal jhe file security system will detect any attempt to 

computer equipment However, it should be understood 10 install new fdes on the system via the disc drives, serial 

that ^ is done for the sake of convenience and simplic- interface, supported local area networks, or by any 

ity of description and the invention should not be con- executable file. This applies even if the new file is gencr. 

sidered as lumtcd to these or any other operatmg sys- ^ted on the workstation itself. 

tc^or computer equipment. The system administrator has a great deal of flexibil- 

. ^^/^^^^;^^^y5»^y5t«^ 15 j^^^^ Certain features can be 

tern attached to Aeho^^^ Tins pro- disabled or expanded at the discretion of tiie administra- 

vidcs the elasticity needed to minimize delays associated ^^j. 

are queued up forW- 20 Srf't;:eS^^^^^^ 

During^stallation of the file security subsystem llTnJ "Vrf^^ system entries at- 

(FSS), a set of file access criteria are entered and Stored K^.T^ a !^ "^"^ or passwords, teimnal 

in nonvolatUe memory in the FSS and also written to a ^^^'^^j^f' transaction log is 

portion of the host computer file storage device which 25 ^^^^f^^e only to supervisory people posscssmg the 

is subsequently marked as inaccessible to the operating password to the fUe s«:unty system, 

system. These criteria are used by the protection pro- It can be seen from the above d^nption Uiat by 

cess to determine the type of access authorized on a C"**" ^"""^^^ "^""^ ^""^ between 

specific system. After installation the file security sys- ^^^^'^'^^ " invisible 

tern is accessible only by use of a master password that 30 ^° operatmg system, the computer file system is 

wiU presumably be known only by an appropriate secu- protected against deliberate tampering from cither local 

rity director or system administrator. sources or those at other linked locations. Corrupted 

The file access criteria will include the names of files refused entry by write protecting the storage 
which are to be protected at all times. These will gener- device. Even in the event tiiat such files should some- 
ally be the basic executable files that constitute the 35 ^tnd entry, they are detected and identified and the 
application for which tiie system is intended, as well as system is locked before the corrupted files can do the 
any utility and system files used by or in support of the intended damage. This protection is equally important 
application. The access criteria will also contain the guarding the system from damage by benign errors 
names of files that are allowed to modify specified files that frequentiy occur during program development, 
along with the type name of the specific files which may 40 ^ ^^^y important part of the file security system is its 
be modified, terminate and stay resident (TSR) program. In the 

Other access criteria are relatively conventional. The c^^nt of entry being denied to the system for some 

user may be required to enter a login code which can be reason, or an unauthorized operation being attempted, 

associated with a specific directory, group of files, or the TSR program will send an error message to the 

both. The login code can then be used as a test for a 45 However, before each use the TSR program is 

password; i.e., if the password given is not authorized itself checked for file integrity. During the time the 

for the login group entered, the user will be denied TSR program is active it lakes possession of and dis- 

acccss, even if the password is otherwise valid. This, in aWes all other access to the CPU. Further the TSR 

effect, provides a double password system. program directiy accesses the keyboard, bypassing all 

^ « 50 system software. 

Operation of tiie File Sccunty System Specific operation of tiie file security system hard- 
I startu p, th e file security svs t em^KilLchcckath^ ware and software can best be understood by now refer- 
flles Js SjfeaiSF'wT^^^ ring to the Figures. FIG. 1 is « simplified block diagram 
teSaai^l^g^otfe'Dv comparing the file signatures or showing one version of a hardware implementation, 
the active files with those held in an archival status in a 55 Given this diagram, the specific construction of the unit 
portion of memory within the file storage device that is will be evident to one skilled in computer science, 
inaccessible to the operating system. The same check FIG. 2 is a symbol legend to the process logic dia* 
can be made for any change in file signature of all exe- grams shown in FIGS. 3-21. Reference to these dia- 
cutable files. As was noted earlier, a unique signature grams will convey a full best present mode disclosure to 
for each file can be generated; e.g., by using a cyclic 60 one skilled in the art. A step-by-step verbal description 
redundancy code algorithm. If any inconsistency is is not only not necessary but would be redundant 
found during startup, the file system storage device is The basic outline of the process logic is shown in 
write protected by the file security system and the user FIGS. 3-^. FIG. 6 ties by the various offpage connector 
notified. The file which caused the warning is identified symbols to subproccsscs shown in FIGS. 7-18. FIG. 19 
and the system is effectively locked until corrective 65 is a subprocess used within the various other sub- 
action is taken. This might include removal and replace- processes. FIGS. 20 and 21 show direct memory access 
ment of the affected file or an override by the system subprocesses also used in the various other sub- 
administrator who must use the master password. If the processes. 
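The startup signature check, the supervisor override, the double password test on login code and password, and the supervisor-only transaction log described above, modelled together in Python as an added example (this is not code from the patent). CRC-32 as the "cyclic redundancy code", the in-memory dictionaries standing in for the protected storage area, and every class and method name are assumptions.

```python
import zlib

class FileSecuritySubsystem:
    """Model of the gate described above: archived signatures, access criteria
    and the transaction log live in a protected area the OS cannot reach."""
    def __init__(self, master_password, archive, criteria):
        self._master = master_password
        self._archive = dict(archive)  # file name -> archived CRC-32 signature
        self._criteria = criteria      # (login code, password) -> {file: {"r","w","x"}}
        self._log = []                 # transaction log, readable with master password only
        self.write_protected = False
        self.locked = False

    @staticmethod
    def signature(data):
        # The description names a cyclic redundancy code; CRC-32 is assumed here.
        return zlib.crc32(data) & 0xFFFFFFFF

    def startup_check(self, files):
        """Return the first archived file whose current signature differs from
        the archive (write-protecting and locking the system), else None."""
        for name, data in files.items():
            if name in self._archive and self._archive[name] != self.signature(data):
                self.write_protected = self.locked = True
                self._log.append(("signature mismatch", name))
                return name
        return None

    def override(self, password, name, data):
        """Supervisor override: re-archive the modified file, then release the lock."""
        if password != self._master:
            return False
        self._archive[name] = self.signature(data)
        self.write_protected = self.locked = False
        return True

    def request(self, login, password, name, op):
        """Double password test: password valid for the login group, and that
        group's criteria must grant op ('r', 'w' or 'x') on the named file."""
        perms = self._criteria.get((login, password))
        if self.locked or perms is None or op not in perms.get(name, set()):
            self._log.append(("denied", login, name, op))
            if op == "w":  # unauthorized write attempt: refuse to write to storage
                self.write_protected = True
            return False
        return True

    def transaction_log(self, password):
        return list(self._log) if password == self._master else None
```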
Having thus disclosed the best mode known by the inventor of making and using his invention, it will be evident to those skilled in the art that many variations are possible without departing from the spirit of the invention. The invention should be considered as being limited only as it is described in the appended claims.

I claim:

1. A computer file protection system for a digital computer [illegible] accessible for storing files and interconnected with a central processing unit by a bus carrying control logic signals, address signals, and data signals, said com[illegible] said digital computer which comprises:
(a) [illegible] programmable auxiliary memory and a control unit;
(b) means for attaching said programmable auxiliary memory and said control unit to the bus in a manner so that it resides in the bus between said file storage device and said central processing unit;
(c) means for allowing access to said file security subsystem by the computer operating system for initialization and modification only during an installation stage of the file security subsystem [illegible] by said computer operating system following said installation stage;
(d) means for providing the programmable auxiliary memory system with supervisor entered access criteria for access permission for read operations, write operations and execute operations for each one of all the files stored in said file storage device;
(e) means for requiring each user to provide to said programmable auxiliary memory a valid user identification, whereupon said programmable auxiliary memory and control unit will indicate to the computer operating system only those of said files which are accessible to that user and whether read operations, write operations and execute operations may be performed upon said accessible files, said auxiliary memory and control unit denying access to users with invalid access criteria and refusing to write data to any of the files stored in said file storage device when operations without valid access criteria have been attempted.

2. The computer file protection system of claim 1 further including means for developing a file signature for each and every one of the files, and archiving each such file signature.

3. The file protection system of claim 2 which further includes means for checking the file signature of each of the files stored in the file security subsystem with the archived file signatures of the files stored in the file security subsystem for correspondence prior to notifying a user that entry has been denied or an unauthorized operation has been attempted.

4. The file protection system of claim 1 wherein the [illegible]lation includes means requiring entry of a proper master password.

5. The file protection system of claim [illegible] which further includes:
[illegible] means for determining a file signature for each one [illegible] pertinent files within the digital computer;
[illegible] signatures [illegible] archival reference in the protected storage area;
[illegible] means for comparing the unique file signatures [illegible] protected area with the current file signature of any file prior to permitting access to [illegible];
(i) means for write protecting the storage device if the current file signature does not correspond with the signature stored in said protected area.

7. The file protection system of claim 6 which further includes means for locking the computer system from further activity when the current file signature does not correspond with the file signature stored in said protected area, said computer system remaining disabled [illegible] unlocked by a person with access to a master password.

8. The file protection system of claim 5 which further includes means for creating a transaction log in the protected storage area, said transaction log being accessible only to a person having a master password.

9. The file protection system of claim 5 in which said supervisor entered criteria are specific for each user or user group.

10. The file protection system of claim 1 which further includes means for taking possession of the central processing unit by the file security subsystem and disabling all other access to said central processing unit at such time as the file security subsystem detects invalid access criteria or an attempted unauthorized operation.